Key Risk Indicators, Scorecard, and Template

A properly designed risk framework supports risk discussion in your company. It combines indicators that allow estimating risk probability, risk impact, and risk control actions.

Define and map KRIs

KRIs are not that different from KPIs; Risk Management frameworks are not that different from the Balanced Scorecard. Let’s start the discussion about Key Risk Indicators best practices.

The Idea of Risk

What is risk and how can one measure and control it? Intuitively one understands that risk concerns a danger or threat that might happen with a certain probability and result in some type of negative outcome. This perception is generally correct with one exception: risk doesn’t always need to be a threat for a business; it might be an opportunity as well.

The older definition of risk in ISO was “a chance or probability of loss,” while the latest ISO 31000:2009 defines risk as “the effect of uncertainty on objectives.”

In other words, the modern definition of risk recognizes that risk is not only about threats, but about opportunities as well.

Losing your key employee might be a threat on the one hand, but on the other hand you might find a new one who will bring new skills and ideas to your company. Everything depends upon the business context (business objectives).

What are Key Risk Indicators?

As their name states, KRIs are indicators that are key for the risk management process.

  • The word “key” implies that there cannot be hundreds of KRIs; so if you have 100+ KRIs, then most likely these are just risk metrics.

Most of the principles that we discussed for KPIs (Key Performance Indicators) apply to KRIs:

  • They need to have a proper business context,
  • They need to be measurable,
  • There has to be a person responsible for each KRI,
  • There should be buy-in from the team, etc.

Having said that, I recommend checking out the article: 12 Steps KPI System. When reading, replace “KPI” with “KRI” and you can easily use all the same ideas and recommendations.

For now, it is enough to define KRIs as those risk metrics that are an important part of your risk management portfolio. As follows from the definition of risk in the ISO standard, the ultimate decision of what is and is not a risk depends on a company’s objectives, so be careful when copying KRIs from others.

The Difference Between KRI and KPI

In some literature KPIs and KRIs are strongly divided: the former are responsible for business performance and the latter are about risk. A typical, often-used example of a KPI that is not a KRI is “Net Profit.”

  • “Net profit is a KPI because it doesn’t tell us anything about the risk level or risk control!” – authors often suggest.

The thing is that “Net profit” by itself doesn’t tell us anything about performance either, or about the way one wants to increase it!

To make use of “Net profit” we need to put it in a proper business context, add thresholds, baseline, and target marks, and add a relevant action plan:

  • KPI: “Net profit”
  • Current level: $200 K
  • Baseline: $205 K
  • Target: $300 K
  • Stop light: red
  • Action plan: “We failed because of the old sales team! Hire a new sales team!”


Have a look at this KPI! Doesn’t it look like a KRI now? For sure, we don’t have metrics for probability and impact, but we can easily add them…

Another thought that supports the idea of the similar nature of KRIs and KPIs:

  • KPIs need to be aligned with the business strategy; and how does one determine this strategy? Didn’t we use the SWOT method (where T stands for “threats”) to come up with hypotheses (risk analysis) and possible solutions (risk control)?

Well, I’m exaggerating, but I personally don’t see any fundamental difference. I am ready to argue about this in the comments. For sure, KRIs are more “risk-oriented,” but if needed, a KRI can be converted into a KPI and vice versa.

Mapping Risks to KRI. Defining Key Risk Indicators.

Here comes an interesting part. Let’s talk about Risk Management. Managing risks is about managing the chain of:

  • Detecting/predicting threats/opportunities
  • Estimating the chance that they will happen (their probability)
  • Controlling the impact/outcomes

Normally, we cannot map all these aspects of the risk in one KRI, so we will normally need 3 indicators:

  • An indicator that would measure the probability
  • An indicator that would measure the impact
  • An indicator that would measure the action plan

For example, for a KRI such as “Poor mentoring of employees” we would have:

  • Time spent on mentoring per week, hours. This indicator estimates risk probability: the fewer hours one spends mentoring others, the more likely the company is to face this risk.
  • Employee engagement index, %. This indicator helps to understand the impact of poor communication. Less mentoring means less engagement on the part of employees.
  • Action plan: improve mentoring procedures; a relevant indicator might be something like “Leadership training passed, hours.” We need to teach managers a proper leadership paradigm that would include mentoring.

Which of those indicators is a KRI? I’d say that the pair of “probability” and “impact” indicators forms the KRI, while the action plan indicator relates to the risk control procedures.

Template for a KRI

Here is a template that one can use for a Key Risk Indicator.

Risk Template:

Risk Indicators:

  • Risk Identification: ________
  • Probability Indicator: ________
  • Impact Indicator: ________

Risk Control Plan:

  • Action 1: ________
  • Action 2: ________

Action Indicator:

  • Indicator 1: ________
  • Indicator 2: ________

The example discussed above will look like this:

Risk Indicators:

  • Risk Identification: “Poor mentoring of employees”
  • Probability Indicator: Time spent on mentoring per week, hours
  • Impact Indicator: Employee engagement index, %

Risk Control Plan:

  • Action 1: Improve mentoring procedures

Action Indicator:

  • Indicator 1: Leadership training passed, hours

Leading/Lagging KPIs vs. Probability/Impact KRIs

When mapping business strategy we always suggest making sure that there are:

  • Leading indicators aligned with business objectives,
  • Lagging indicators aligned with business objectives, and
  • An action plan.

Compare this to the “probability,” “impact,” and “control plan” and you will see what I mean.

A properly described strategy looks very similar to a properly done risk and control assessment.

How do Risks Appear on the Map? Reporting Culture.

As business objectives are projections of properly defined strategy, risks are projections of a properly done risk analysis.

  • The basic step is to start with a classical risk assessment, drawing root-cause diagrams, brainstorming possible problems and getting a list of the risks as a result.
  • The most important step is to implement a proper reporting culture in your company. Employees should report not only evident problems that have already happened, but also situations where they were lucky enough to avoid a problem that could have happened. Such reports will allow you to identify risks that you might not have thought about before.

Establish a culture similar to the one at NASA: if a problem appeared once, they conducted careful research into the possible reasons why it happened, even if it did not repeat.

How to Use Risk Assessment and Control Model

The risk assessment model that was described above is nothing new, but you need it just as you need a strategy map in business performance management. Specific numbers might be tricky and won’t give you specific information. Why have this model then?

  • Just as a strategy map helps to discuss strategy, a risk assessment model/scorecard needs to be a basis for further discussions related to risk identification and control.

In this way you will build risk control into the company’s DNA. It’s much better than regular formal reporting of KRIs that has nothing to do with real problems.

The List of the Most Popular KRIs

We have a list of 89 KRIs delivered in both .BSC (BSC Designer) and Excel formats. Don’t take these risk indicators as must-haves for your business. As with KPIs, KRIs need to be aligned with the business context; if they are not, you will be evaluating and trying to manage risks that will never occur in your business.

KRIs in BSC Designer

In BSC Designer you can easily manage your KRIs.

Select an indicator and select “Risk” as the measurement unit, then:

  • Define the risk mitigation plan,
  • Define the risk probability,
  • Define the risk impact.

In this case BSC Designer can visualize the necessary data on the risk chart.

The main benefit is that indicators can be aligned with objectives on the strategy map.

Key Take-Aways

  • Risk is not just a threat; it is a business opportunity as well
  • Put KRIs into a proper business context
  • Implement a proper reporting culture
  • Use the risk scorecard as a basis for risk discussions
